* [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
@ 2026-04-19 15:01 syzbot
2026-05-03 13:01 ` syzbot
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: syzbot @ 2026-04-19 15:01 UTC (permalink / raw)
To: linux-kernel, luto, peterz, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: faeab166167f Merge tag 'pinctrl-v7.1-1' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13728836580000
kernel config: https://syzkaller.appspot.com/x/.config?x=916f2f67e70d1263
dashboard link: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fe08f489aa35/disk-faeab166.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aef0d8ac5a5a/vmlinux-faeab166.xz
kernel image: https://storage.googleapis.com/syzbot-assets/35d09c9dfe78/bzImage-faeab166.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
write_comp_data kernel/kcov.c:270 [inline]
__sanitizer_cov_trace_cmp4+0x86/0x90 kernel/kcov.c:288
do_csum lib/checksum.c:68 [inline]
ip_fast_csum+0x24b/0x3f0 lib/checksum.c:99
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4576 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5403
kmalloc_reserve net/core/skbuff.c:635 [inline]
__alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
alloc_skb include/linux/skbuff.h:1383 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
CPU: 0 UID: 0 PID: 55 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
2026-04-19 15:01 [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt syzbot
@ 2026-05-03 13:01 ` syzbot
2026-05-03 16:52 ` Forwarded: " syzbot
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-03 13:01 UTC (permalink / raw)
To: linux-kernel, luto, peterz, syzkaller-bugs, tglx, zlatistiv
syzbot has found a reproducer for the following issue on:
HEAD commit: 66edb901bf87 Merge tag 'v7.1-p3' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107b2dba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5
dashboard link: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126caece580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11f00d06580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9014c04fc561/disk-66edb901.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a96b1e11a924/vmlinux-66edb901.xz
kernel image: https://storage.googleapis.com/syzbot-assets/680236de6331/bzImage-66edb901.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
encrypted_key_alloc+0x8c9/0xa70 security/keys/encrypted-keys/encrypted.c:641
encrypted_instantiate+0x45e/0x3220 security/keys/encrypted-keys/encrypted.c:812
__key_instantiate_and_link+0xfe/0x5d0 security/keys/key.c:446
__key_create_or_update+0x12c4/0x1500 security/keys/key.c:941
key_create_or_update+0x5f/0x80 security/keys/key.c:1021
__do_sys_add_key security/keys/keyctl.c:134 [inline]
__se_sys_add_key+0x656/0x870 security/keys/keyctl.c:74
__x64_sys_add_key+0xe4/0x150 security/keys/keyctl.c:74
x64_sys_call+0xd3f/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:249
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable dlen created at:
encrypted_key_alloc+0x4f/0xa70 security/keys/encrypted-keys/encrypted.c:586
encrypted_instantiate+0x45e/0x3220 security/keys/encrypted-keys/encrypted.c:812
CPU: 1 UID: 0 PID: 6291 Comm: syz.0.346 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
=====================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Forwarded: Re: [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
2026-04-19 15:01 [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt syzbot
2026-05-03 13:01 ` syzbot
@ 2026-05-03 16:52 ` syzbot
2026-05-03 22:02 ` Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen syzbot
2026-05-04 14:16 ` syzbot
3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-03 16:52 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
Author: pardhuvarma.kernel@gmail.com
#syz test
From cdf97dc0c3019448a000ee20b75d2ee7a7ca4bb8 Mon Sep 17 00:00:00 2001
From: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
Date: Sun, 3 May 2026 20:45:00 +0530
Subject: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN
uninit-value on dlen
KMSAN reports an uninitialized-value use in encrypted_key_alloc()
due to dlen being referenced in a compound condition when kstrtol()
fails.
Split the condition to ensure dlen is only accessed after successful
initialization.
Preserve original error handling semantics.
Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
---
security/keys/encrypted-keys/encrypted.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/keys/encrypted-keys/encrypted.c
b/security/keys/encrypted-keys/encrypted.c
index 56b531587a1e..4bf4b4e8f7b5 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -588,7 +588,9 @@ static struct encrypted_key_payload
*encrypted_key_alloc(struct key *key,
int ret;
ret = kstrtol(datalen, 10, &dlen);
- if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
+ if (ret < 0)
+ return ERR_PTR(-EINVAL);
+ if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
return ERR_PTR(-EINVAL);
format_len = (!format) ? strlen(key_format_default) : strlen(format);
--
2.54.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen
2026-04-19 15:01 [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt syzbot
2026-05-03 13:01 ` syzbot
2026-05-03 16:52 ` Forwarded: " syzbot
@ 2026-05-03 22:02 ` syzbot
2026-05-04 14:16 ` syzbot
3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-03 22:02 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen
Author: pardhuvarma.kernel@gmail.com
#syz test
KMSAN reports an uninitialized-value use in encrypted_key_alloc()
due to dlen being referenced in a compound condition when kstrtol()
fails.
Split the condition to ensure dlen is only accessed after successful
initialization.
Preserve original error handling semantics.
Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
---
security/keys/encrypted-keys/encrypted.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/keys/encrypted-keys/encrypted.c
b/security/keys/encrypted-keys/encrypted.c
index 56b531587a1e..4bf4b4e8f7b5 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -588,7 +588,9 @@ static struct encrypted_key_payload
*encrypted_key_alloc(struct key *key,
int ret;
ret = kstrtol(datalen, 10, &dlen);
- if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
+ if (ret < 0)
+ return ERR_PTR(-EINVAL);
+ if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
return ERR_PTR(-EINVAL);
format_len = (!format) ? strlen(key_format_default) : strlen(format);
--
2.54.0
On Mon, May 4, 2026 at 3:22 AM PardhuVarma Konduru <
pardhuvarma.kernel@gmail.com> wrote:
> KMSAN reports an uninitialized-value use in encrypted_key_alloc()
> due to dlen being referenced in a compound condition when kstrtol()
> fails.
>
> Split the condition to ensure dlen is only accessed after successful
> initialization.
>
> Preserve original error handling semantics.
>
> Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
> Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
> ---
> security/keys/encrypted-keys/encrypted.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/security/keys/encrypted-keys/encrypted.c
> b/security/keys/encrypted-keys/encrypted.c
> index 56b531587a1e..4bf4b4e8f7b5 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -588,7 +588,9 @@ static struct encrypted_key_payload
> *encrypted_key_alloc(struct key *key,
> int ret;
>
> ret = kstrtol(datalen, 10, &dlen);
> - if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
> + if (ret < 0)
> + return ERR_PTR(-EINVAL);
> + if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
> return ERR_PTR(-EINVAL);
>
> format_len = (!format) ? strlen(key_format_default) :
> strlen(format);
> --
> 2.54.0
>
>
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen
2026-04-19 15:01 [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt syzbot
` (2 preceding siblings ...)
2026-05-03 22:02 ` Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen syzbot
@ 2026-05-04 14:16 ` syzbot
3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-04 14:16 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen
Author: pardhuvarma.kernel@gmail.com
#syz test
On Mon, May 4, 2026 at 7:45 PM PardhuVarma Konduru <
pardhuvarma.kernel@gmail.com> wrote:
> KMSAN reports an uninitialized-value use in encrypted_key_alloc()
> due to dlen being referenced in a compound condition when kstrtol()
> fails.
>
> Split the condition to ensure dlen is only accessed after successful
> initialization.
>
> Preserve original error handling semantics.
>
> Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
> Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
> ---
> security/keys/encrypted-keys/encrypted.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/security/keys/encrypted-keys/encrypted.c
> b/security/keys/encrypted-keys/encrypted.c
> index 56b531587a1e..4bf4b4e8f7b5 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -588,7 +588,9 @@ static struct encrypted_key_payload
> *encrypted_key_alloc(struct key *key,
> int ret;
>
> ret = kstrtol(datalen, 10, &dlen);
> - if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
> + if (ret < 0)
> + return ERR_PTR(-EINVAL);
> + if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
> return ERR_PTR(-EINVAL);
>
> format_len = (!format) ? strlen(key_format_default) :
> strlen(format);
> --
> 2.54.0
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-05-04 14:16 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-19 15:01 [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt syzbot
2026-05-03 13:01 ` syzbot
2026-05-03 16:52 ` Forwarded: " syzbot
2026-05-03 22:02 ` Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen syzbot
2026-05-04 14:16 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox